Now that the EU GDPR (General Data Protection Regulation) has been in effect for over a year, you’ve likely become acquainted with the term ‘personal data’.

But what exactly does personal data mean? And did you know that the GDPR includes a sub-category of sensitive personal data that comes with its own requirements?

If this information is new to you, don’t panic – this blog post explains everything you need to know in a simple and easy-to-understand way.

What is personal data?

In the most basic terms, personal data is any piece of information that someone can use to identify, with some degree of accuracy, a living person.

For example, the email address “” is considered personal data, because it indicates there can only be one John Smith who works at Company X.

But, naturally, it isn’t as simple as that. Each piece of information doesn’t have to be taken on its own.

Organisations typically collect and store multiple pieces of information on data subjects, and the amassed information can be considered personal data if it can be pieced together to identify a likely data subject.

Think of it like a massive game of Guess Who?

Under certain circumstances, any of the following can be considered personal data:

  • A name and surname
  • A home address
  • An email address
  • An identification card number
  • Location data
  • An Internet Protocol (IP) address
  • The advertising identifier of your phone

You might think that someone’s name is always personal data, but as the ICO (Information Commissioner’s Office) explains, it’s not that simple:

“By itself the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.”

However, the ICO also notes that names aren’t necessarily required to identify someone:

“Simply because you do not know the name of an individual does not mean you cannot identify [them]. Many of us do not know the names of all our neighbours, but we are still able to identify them.”

What is sensitive personal data?

Sensitive personal data is a specific set of “special categories” that must be treated with extra security. This includes information pertaining to:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Genetic data; and
  • Biometric data (where processed to uniquely identify someone).

Sensitive personal data should be held separately from other personal data, preferably in a locked drawer or filing cabinet.

As with personal data generally, it should only be kept on laptops or portable devices if the file has been encrypted and/or pseudonymised.

Getting consent

A common misconception about the GDPR is that all organisations need to seek consent to process personal data.

In fact, consent is only one of six lawful grounds for processing personal data, and the strict rules regarding lawful consent requests mean it’s generally the least preferable option.

However, there will be times when consent is the most suitable basis, and organisations need to be aware that they need explicit consent to process sensitive personal data.

Nuances like this are common throughout the GDPR, and any organisation that hasn’t taken the time to study its compliance requirements thoroughly is liable to be tripped up.

This could lead to lasting damage, such as enforcement action, regulatory fines, bad press and loss of customers.


Written by Luke Irwin, writer for IT Governance